This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push: new 7de2807 Improved: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) 7de2807 is described below commit 7de28070a356fd5a02a05d986a235fcc3f7f737a Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Sun Oct 10 13:32:49 2021 +0200 Improved: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) Prevents an useless inevitable warning by commenting out RequestWrapper::getParameterNames and with it all the unused methods in RequestWrapper class Also better comments CacheFilter::doFilter by giving its real and only goal: <<to prevent a post-auth security issue described in OFBIZ-12332>>
---
.../org/apache/ofbiz/base/util/CacheFilter.java | 7 +-
.../org/apache/ofbiz/base/util/RequestWrapper.java | 76 +++++++++++-----------
2 files changed, 44 insertions(+), 39 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java
index 65931cf..8f05ce6 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java
@@ -44,7 +44,12 @@ public class CacheFilter implements Filter {
 * 3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering <br>
 * 4. a) <strong>Either</strong> invoke the next entity in the chain using the FilterChain object (<code>chain.doFilter()</code>), <br>
 * 4. b) <strong>or</strong> not pass on the request/response pair to the next entity in the filter chain to block the request processing<br>
- * 5. Directly set headers on the response after invocation of the next entity in the filter chain.
+ * 5. Directly set headers on the response after invocation of the next entity in the filter chain. <br>
+ * <br>
+ * ----------------------------------------------------------------------------------------------------<br>
+ * Actually its goal in OFBiz is simply to prevent a post-auth security issue described in OFBIZ-12332 <br>
+ * ----------------------------------------------------------------------------------------------------<br>
+ * <br>
 * @param request The request to process
 * @param response The response associated with the request
 * @param chain Provides access to the next filter in the chain for this filter to pass the request and response to for further processing
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/RequestWrapper.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/RequestWrapper.java
index 70ca6af..44a2984 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/RequestWrapper.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/RequestWrapper.java
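Review bot: The added Javadoc says the filter exists only to prevent the OFBIZ-12332 post-auth issue but not what it checks, so a maintainer cannot tell from the comment which request property doFilter constrains or what would break if that check were edited; the method body is outside this hunk. The generic five-step list above it is the Servlet-spec description of what any filter may do, and the new `Actually its goal in OFBiz is simply ...` line contradicts that list rather than replacing it. I would drop the generic steps and the dashed rules and state the contract directly, e.g. `Its only purpose in OFBiz is to mitigate the post-auth issue tracked in OFBIZ-12332:` followed by one sentence naming the check doFilter applies, so comment and code can be kept in sync. A CVE identifier, if one was assigned to OFBIZ-12332, would also help operators triaging backports to this release branch.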
@@ -24,10 +24,10 @@ import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
-import java.util.Collections;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Map;
+//import java.util.Collections;
+//import java.util.Enumeration;
+//import java.util.HashMap;
+//import java.util.Map;
 import javax.servlet.ReadListener;
 import javax.servlet.ServletInputStream;
@@ -40,7 +40,7 @@ public class RequestWrapper extends HttpServletRequestWrapper {
 private HttpServletRequest origRequest;
 private byte[] reqBytes;
 private boolean firstTime = true;
- private Map<String, String[]> parameterMap = null;
+ // private Map<String, String[]> parameterMap = null;
 public RequestWrapper(HttpServletRequest arg) {
 super(arg);
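Review bot: The four `java.util` imports and the `parameterMap` field are commented out rather than removed, which leaves dead declarations that readers and style checkers have to skip and carries no information about why they are gone; git history already preserves them. I would delete `//import java.util.Collections;` through `//import java.util.Map;` and `// private Map<String, String[]> parameterMap = null;` outright, and if a breadcrumb is wanted, a single `// parameter-map overrides removed for OFBIZ-12332` next to the remaining fields says more than the commented code does. The fields `origRequest`, `reqBytes` and `firstTime` are presumably still used by the buffering code outside this hunk, so nothing else in the class header needs to change.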
@@ -148,37 +148,37 @@ public class RequestWrapper extends HttpServletRequestWrapper {
 return reqBytes;
 }
- @Override
- public String getParameter(String name) {
- parameterMap = UtilMisc.toMap(getParameterMap());
- if (parameterMap != null) {
- String[] a = parameterMap.get(name);
- if (a == null || a.length == 0) {
- return null;
- }
- return a[0];
- }
- return null;
- }
-
- @Override
- public Map<String, String[]> getParameterMap() {
- if (parameterMap == null) {
- parameterMap = new HashMap<String, String[]>();
- parameterMap.putAll(super.getParameterMap());
- }
- return parameterMap;
- }
-
- @SuppressWarnings("unchecked")
- @Override
- public Enumeration getParameterNames() {
- return Collections.enumeration(parameterMap.values());
- }
-
- @Override
- public String[] getParameterValues(String name) {
- return parameterMap.get(name);
- }
-
+ // Those are not used, just kept in case // @Override // public String getParameter(String name) { // parameterMap = UtilMisc.toMap(getParameterMap()); // if (parameterMap != null) { // String[] a = parameterMap.get(name); // if (a == null || a.length == 0) { // return null; // } // return a[0]; // } // return null; // } // // @Override // public Map<String, String[]> getParameterMap() { // if (parameterMap == null) { // parameterMap = new HashMap<String, String[]>(); // parameterMap.putAll(super.getParameterMap()); // } // return parameterMap; // } // // @SuppressWarnings("unchecked") // @Override // public Enumeration getParameterNames() { // return Collections.enumeration(parameterMap.values()); // } // // @Override // public String[] getParameterValues(String name) { // return parameterMap.get(name); // }
 }
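Review bot: The added comment `Those are not used, just kept in case` is not accurate for servlet API overrides: `getParameter`, `getParameterMap` and `getParameterValues` are invoked by any code that reads parameters through the wrapped request, so removing them changes what callers receive — lookups now fall through to HttpServletRequestWrapper's delegation to the original request instead of the cached copy the old `getParameterMap` built. That is probably fine, but it is a behaviour change rather than a cleanup, and since this class appears to buffer the request body into `reqBytes` (the field in the earlier hunk; the reading code is outside this hunk) it deserves a test that a form parameter sent in a POST body is still visible through the wrapper after the body has been read, because a filter-level check that sees different parameters from the handler is exactly the kind of gap a fix for a post-auth issue like OFBIZ-12332 must avoid. Separately, 33 lines of commented-out code should be deleted, not kept; git history preserves them, and a one-line `// parameter overrides removed for OFBIZ-12332, see commit 7de2807` is a better breadcrumb than the commented body. If only `getParameterNames` triggered the warning mentioned in the commit message, consider whether the other three overrides needed to go at all.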